android_kernel_samsung_univ.../net
Wei Yongjun 8b18e0e498 ipv6: addrconf: fix dev refcont leak when DAD failed
commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream.

In general, when DAD detects an IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work; the call tree should be like this:

ndisc_recv_ns
  -> addrconf_dad_failure        <- missing ifp put
     -> addrconf_mod_dad_work
       -> schedule addrconf_dad_work()
         -> addrconf_dad_stop()  <- missing ifp hold before call it

addrconf_dad_failure() is called with an ifp refcount held but not put.
addrconf_dad_work() calls addrconf_dad_stop() without holding an extra
refcount. This will not cause any issue normally.

But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause an ifp refcount leak, and the netdevice cannot be unregistered;
dmesg shows the following messages:

IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1

Fixes: c15b1ccadb ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-09-24 10:07:42 +02:00
6lowpan
9p
802
8021q
appletalk
atm
ax25 AX.25: Close socket connection on session completion 2016-07-11 09:31:12 -07:00
batman-adv
bluetooth Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU 2016-08-20 18:09:19 +02:00
bridge Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address 2016-07-11 09:31:11 -07:00
caif
can
ceph libceph: apply new_state before new_up_client on incrementals 2016-08-10 11:49:29 +02:00
core net_sched: fix mirrored packets checksum 2016-07-27 09:47:31 -07:00
dcb
dccp
decnet
dns_resolver
dsa
ethernet
hsr
ieee802154
ipv4 udp: properly support MSG_PEEK with truncated buffers 2016-09-15 08:27:49 +02:00
ipv6 ipv6: addrconf: fix dev refcont leak when DAD failed 2016-09-24 10:07:42 +02:00
ipx
irda net/irda: fix NULL pointer dereference on memory allocation failure 2016-08-16 09:30:48 +02:00
iucv
key
l2tp l2tp: fix configuration passed to setup_udp_tunnel_sock() 2016-06-24 10:18:17 -07:00
l3mdev
lapb
llc net: fix infoleak in llc 2016-05-18 17:06:40 -07:00
mac80211 mac80211: fix purging multicast PS buffer queue 2016-09-07 08:32:41 +02:00
mac802154
mpls
netfilter netfilter: x_tables: check for size overflow 2016-09-15 08:27:50 +02:00
netlabel netlabel: add address family checks to netlbl_{sock,req}_delattr() 2016-08-20 18:09:22 +02:00
netlink netlink: Fix dump skb leak/double free 2016-06-24 10:18:16 -07:00
netrom
nfc
openvswitch vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices 2016-06-24 10:18:18 -07:00
packet packet: Use symmetric hash for PACKET_FANOUT_HASH. 2016-07-27 09:47:31 -07:00
phonet
rds rds: fix an infoleak in rds_inc_info_copy 2016-09-15 08:27:51 +02:00
rfkill
rose
rxrpc
sched net_sched: fix mirrored packets checksum 2016-07-27 09:47:31 -07:00
sctp
sunrpc SUNRPC: allow for upcalls for same uid but different gss service 2016-09-07 08:32:36 +02:00
switchdev switchdev: pass pointer to fib_info instead of copy 2016-06-24 10:18:16 -07:00
tipc tipc: move linearization of buffers to generic code 2016-09-24 10:07:35 +02:00
unix af_unix: fix hard linked sockets on overlay 2016-07-27 09:47:33 -07:00
vmw_vsock VSOCK: do not disconnect socket when peer has shutdown SEND only 2016-05-18 17:06:41 -07:00
wimax
wireless Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" 2016-09-24 10:07:41 +02:00
x25 net: fix a kernel infoleak in x25 module 2016-05-18 17:06:43 -07:00
xfrm
compat.c
Kconfig
Makefile
socket.c
sysctl_net.c net: Use ns_capable_noaudit() when determining net sysctl permissions 2016-09-15 08:27:50 +02:00